Prevent deployment when the target branch is not the default branch

[GrantBirki]

Currently, you are able to open a pull request that is targeting a branch other than the default (i.e. main) and you can deploy that branch while bypassing branch protection rules.

For example, you might have a branch protection rule on main that says a PR must be approved before it can be deployed. If you simply open a PR that targets a branch other than main, you would be able to deploy those changes without an approval.

Example:

gitGraph
    commit
    commit
    branch develop
    checkout develop
    commit
    commit
    branch bug-fix
    commit id: "fix error" type: HIGHLIGHT

Loading

In this example, you could not deploy any of the commits from the develop branch as they are trying to merge into the main branch which has a branch protection rule requiring passing CI, approvals, etc. However, if you open a PR from the bug-fix branch, you could .deploy the fix error commit without issues since it is not targeting a branch with branch protection (or rulesets).

This is a bug and it should be resolved.

[S3bb1]

HI @GrantBirki

We just ran into your "bug" but on our side its intended behavior that we allow deploying from these branches to specific environments. Is there a setting to disable this error?

[GrantBirki]

@S3bb1 would you be able to go into more details around how/why you are using this deployment pattern?

Being able to bypass checks, approvals, and branch protection settings is considered very dangerous.

There is currently not a way to disable the safety checks that I added but that could be changed.

[S3bb1]

Hi @GrantBirki

assume we have a private package and working atm on the main branch, but also have a second branch which will act as a bigger feature release.

Now we create PRs which point towards the "bigger feature" branch and want to deploy these PRs to specific development environments.

There is also a bigger DRAFT PR which points back to main from the "bigger feature" branch. This was opened now to be able to deploy to the dev instances, after a PR of the "bigger feature" was merged.

[GrantBirki]

@S3bb1 Do you have some sort of branch protections or rulesets applied to these "bigger feature" branches? If so, then that would make your workflow a lot more "safe".

Either way, I will look into making an opt-out option for your use case today as I did not indent on this initial change to be breaking in this way for folks.

[S3bb1]

We have rulesets applied there :)
No hurry with that config, my initial question was just if I can opt out there 👍 we have now a solution which works for our needs at the moment.

Thank you in general for your time and efforts on this project.

[GrantBirki]

@S3bb1 I have merged #361 which contains changes to disable the logic that is blocking your team.

The latest pre-release is available as well: v10.2.0.

Please go ahead and test it out and let me know if it works for you. Thanks!